Overview
Explore the practical implications of hardware backdooring in this Black Hat USA 2012 conference talk. Delve into the world of Rakshasa, a generic proof-of-concept malware for the Intel architecture capable of infecting over a hundred different motherboards. Learn how this malware permanently disables NX and removes SMM-related fixes from the BIOS, leaving the machine with long-term security vulnerabilities. Discover how preexisting work on MBR subversion, such as bootkiting and brute-forcing of preboot authentication software, can be easily integrated into Rakshasa. Examine the use of free software, including the Coreboot project, in building this malware. Gain insights into Coreboot and into hardware components embedded on motherboards, such as the BIOS, CMOS, and PIC. Understand the inner workings of Rakshasa and witness its capabilities through demonstrations. Consider the implications for the integrity of the non-open-source firmware shipped with computers, and reflect on the need to update best practices for forensics and post-intrusion analysis to include this firmware. Topics covered include generic exploits, removing the NX bit, CPU updates, SMM, bootkits, portability, mitigations, and various backdoor techniques, including network card and PCI backdoors.
Syllabus
Introduction
China
State of the art
How it works
Generic exploit
Removing NX bit
CPUID instruction
Changing permissions
Changing CR0
CPU Update
SMM
Bootkit
Windows
Portability
Demonstration
Mitigations
Antivirus
Floppy
Flash BIOS
Network Card Backdoor
PCIFEM
Remote Flashing
Network Packet Flashing
Taught by
Black Hat